Cisco Security :: 3310 - NAC Guest Server Physical Interfaces?

Jul 19, 2010

We'll be implementing Cisco NAC guest server for Guest Wireless users (Model #3310). The question is: do we need to configure a separate physical interface for user authentication requests (from Wireless) and a separate interface for the Guest server to talk to AD for SSO?


Cisco Security :: ACS Usage On NAC 3310 Required

Sep 16, 2007

Do I still need ACS if I have the NAC appliance, say 3310?


Cisco Security :: High Availability Failure On NAC 3310 CAS?

Dec 20, 2011

Yesterday I discovered the primary and secondary CAS were both in active state and reporting their fellow peer as dead (I did this using ./fostate.sh), causing authentication errors on the network. I had to stop the perfigo process on the primary one to restore service.
 
After closer investigation I have discovered that when I put my laptop on the same subnet as their eth2 interfaces (eth0, eth1 and serial are not used for heartbeat only eth2), I can ping the eth2 ip address for the primary device, but can't ping that of the secondary device. See configs and outputs below. I am also wondering why the secondary CAS shows its eth0 and eth1 interfaces as fake0 and fake1.

[root@CAS-SEC ~]# ifconfig eth2
eth2      Link encap:Ethernet  HWaddr 00:1F:29:5D:1C:6C 
inet addr:172.29.254.10  Bcast:172.29.254.11  Mask:255.255.255.252
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:11205 errors:0 dropped:0 overruns:0 frame:0

[code].....


Cisco Security :: 3310 - NAC Profiler - NetWatch Invalid Configuration File

Jul 18, 2010

I'm trying to configure the NAC Profiler with a 3310 CAS Collector. In the "Edit Collector" menu, it shows all the modules as "Running", except for the NetWatch module which shows a state "Invalid configuration file (missingInternalAddress)".
 
I configured the eth3 interface of the CAS as a monitor interface in the Profiler (see attached image), and I tested that the SPANed traffic actually reaches that interface from the access switch. I'm using software version 3.1.0_24 in both the Profiler and the Collector.


Cisco Firewall :: 5520 Recreate Logical Interfaces For Each Physical Interface

Nov 29, 2012

We have to enable FIPS 140-2 on our ASA5520's for all our IPSEC VPN connections. We currently have failover on our 5520's. I found a lot of information out there but some of it seems to conflict. What are the things I need to look out for (caveats)? Do the clients that connect to the VPN have to use different clients once FIPS is enabled? Do we need to recreate logical interfaces for each physical interface we have?


Cisco :: WLC 2504 Interfaces And Guest Networks?

Jan 10, 2013

I installed a WLAN with a WLC 2504 and 1140 APs. My network is configured the following way: 10.10.X.X/8. Port 1 on my WLC has the following interfaces: management, with the IP address 10.10.X.5, and the virtual interface. I have one secure SSID on the management interface. DHCP is done on my Sonicwall firewall. I was advised to create a second interface called AP-Manager and I have the following questions:

1. Do I create a new port or do I create the AP-Manager interface on the same port as my other interfaces?

2. Once I create the new interface of AP-Manager, will my APs migrate over to this interface?

3. Do I need to create the AP-Manager interface or leave all my APs on the management interface?

4. Second, do I need to create a services interface and if yes, on port 1?

I also need to create a guest network that would have the IP scheme of 172.16.X.X and have the guests authenticated by level 3 web authentication.

1. Do I create my guest interface on port 1 or create a new port?

2. Do I need to point the DNS of the interface to the virtual interface?


Cisco Switching/Routing :: ESX Server With 10 Physical NIC Card And 6500?

Jul 14, 2008

What is the best configuration between a VMware ESX server with 10 physical NIC cards and a Cisco 6500? This ESX server hosts 12 VMs with VLAN 100,150.200


Cisco WAN :: 2960 Physical IP Address Of Server Is Private Range

Aug 3, 2012

I have Internet connection in Ethernet Medium connected to a L2 Switch (Cisco 2960). I have 2 Routers (Cisco 2900). I have a webserver to be accessed from Internet. The physical IP address of the server is Private range.
 
I have configured Stateful NAT as below
 
157.220.100.61 is Static NAT to 10.1.1.3 using redundancy
 
Though HSRP is working good, when RTR-1 is down, I am not able to reach Webserver (10.1.1.3) using RTR-2
 
We found in the ISP switch that even when RTR-1 is down, the MAC address for 157.220.100.61 is still present, with one entry pointing to RTR-1 and the other pointing to RTR-2. There are 2 MAC address entries for 157.220.100.61.


Cisco :: FWSM Communication Between Same Security Level Interfaces

Sep 21, 2012

I have 2 dmz interfaces (dmz1 and dmz2) with security level 50. I am able to ping the hosts on dmz2 from dmz1. I am running a service on a dmz2 host on port 82 but I am not able to access that service from dmz1. Also, I have an inside interface at security level 99 which is able to access that service.

Also, I have defined the following command to allow same security level communication.

same-security-traffic permit inter-interface


Cisco Firewall :: ASA 5520 8.2 With Same Security Level Interfaces

Mar 27, 2013

I have an issue with traffic passing between same security level interfaces. I want to control traffic between same security level interfaces with an ACL. Even with no restriction, traffic does not go through. [code]

I tried to access the web server on the FOUR network from the THREE network, but I get no response. In sh xlate output it shows "PAT Global 10.124.104.254 (28889) Local 10.124.103.1(2922) ". I am not sure what else I should do. I added both same-security-level commands and it is the same.


Cisco Security :: ASA 5520 And Redundant Interfaces Design

Apr 17, 2011

We have two multilayer switches and only one ASA 5520. I'd like to connect ASA in the way described on the picture: each redundant interface includes two physical ones, which are connected to different switches

My question is what kind of link it is necessary to have between switches to make this idea work? I'd have subinterfaces like Re1.100, Re2.200 and so on for my traffic.
 
I understand that correct design approach is to have two redundant firewalls with failover but we cannot purchase the second one yet.


Cisco Security :: ASA 5510 / Routing Http Flow On Two Different Interfaces?

Jun 21, 2012

I use 3 interfaces on an ASA 5510. First interface is Lan, second interface is Outside, third interface is ADSL. The Outside interface is used for VPN L2L and smtp traffic (leased line on router managed by ISP). The Adsl interface is used for Http traffic (Adsl Cisco router). I use this configuration, found on another forum subject, for routing.

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route adsl 0.0.0.0 0.0.0.0 y.y.y.y 2
nat (inside) 1 0 0
global (outside) 1 interface
global (Adsl) 1 interface
static (Adsl,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0

The problem is now I have a www intranet server on the VPN remote site. How can I exempt the http traffic to the intranet server from being routed through the Adsl interface?


Cisco WAN :: Security Zones With Multiple Inside NAT Interfaces 2901

Jan 14, 2012

I am having big problems trying to get what should be a rather simple configuration to work. I have a Cisco 2901 router and have set up Zone Based Firewall on it. Traffic from the 192.168.223.x network does not pass through to the 192.168.1.x network; my traffic appears to disappear down the big bucket... Interestingly, I can ping machines on the 192.168.223.0/24 network from 192.168.1.0/24, so the static routes set up on the router on 192.168.1.0/24 appear to be routing OK.


Cisco Firewall :: ASA 5585 - Enable Same Security Level Interfaces To Communicate

Jul 14, 2012

I have ASA 5585 with SSP20. I want to enable same security level subinterfaces (routed mode) to communicate with each other. 
 
I have put below command at global level but somehow it is not happening.
 
hostname(config)# same-security-traffic permit inter-interface
 
Do I also need to check for NATing or some other things apart from above command?


Cisco Firewall :: ASA 8.3 Server NAT To Different Interfaces?

Apr 10, 2011

Do I need to create 2 objects for NATing a server to 2 different interfaces? That is, an inside server published in two different DMZs. Automatic migration to 8.3 creates 2 objects (one for each nat). Can I do the same with only one object, like this, or do I need an object for each nat?

object network server
 host 192.168.128.10
 nat (inside,dmz) static 172.24.1.10
 nat (inside,dmzguests) static 10.10.0.10


Cisco Security :: Configure 802.1X Security Through ACS 1120 Server And NAC In Layer 2 Inband Virtual Gateway?

Feb 28, 2011

My company ordered NAC and ACS 1120. My question is: can I configure 802.1X security through the ACS server and NAC in layer 2 Inband Virtual Gateway for campus switches? Is it a good design to have double security for switch ports: 1st is 802.1X and 2nd is NAC in layer 2 INBAND VG?


Cisco VPN :: C3725 - VPN Server On Multiple Interfaces

May 12, 2013

I have a c3725 router that has two WAN interfaces, both of which I want to serve VPN clients. However, I have only one default route, say for WAN1, so how can I accept client requests on WAN2?
 
ps: I use vpdn and pptp, and I'm a newbie to Cisco router and IOS.


Cisco :: Wired Guest Security On 4400 Series WLC?

Sep 27, 2012

I have 3 4400 WLC's that are implemented at 1 main site within a mobility group. I am looking at implementing wired guest authentication with a splash page for username and password access. I have followed the documents and suggestions about how to configure it. I created a layer 2 vlan (700) and then created a VLAN (151) that wired guests will get an IP address from. I then configured a WLAN with the ingress interface being VLAN 700 and the egress interface being VLAN 151.

All of my controllers are running code 7.0.116.0. When I go to do a test scenario with a wired client, I have the switchport set up for VLAN 151, which they get an IP address from, but when they try to go to the Internet, they don't get the splash page. Why am I not getting a splash page, or is this scenario even possible?


Cisco Wireless :: How To Recovery MSE 3310

Apr 26, 2012

MSE cannot boot. MSE shows error log. [code] How to recover the MSE 3310? The documents I found do not show a recovery method. Any solution to recover the MSE 3310?


Cisco :: 3310 MSE Was No Longer Visible On Network

Feb 22, 2012

I performed a software reboot on the MSE3310. After the reboot the MSE was no longer visible on the network. I went and consoled into the device and it was operational. I ran the msed stop and msed start commands. I got this message when it tried to load eth0:

Bringing up interface eth0:  e1000 device eth0 does not seem to be present, delaying initialization.

Earlier in the day I had upgraded the firmware from 6.0 to 7.0.230.0.


Cisco Wireless :: Installing Rails On MSE 3310?

Feb 24, 2013

I've got an MSE 3310 that came with four-post rails for rack mounting. These came without instructions and we are having a hard time figuring out exactly how they work. They say General Devices C-300-S-124-RC-MOD


Cisco AAA/Identity/Nac :: Guest NAC Server AAA Administration With ACS 5.3

Nov 30, 2011

I'm having problems setting up a Guest NAC server to authenticate administrative users against an ACS 5.x server. In the ACS RADIUS Authentication log, I can see the user authentication is successful. In the AAA Diagnostics log, I can see the following warning: An Access-Request MUST contain either a NAS-IP-Address or a NAS-Identifier or both; Continue processing.


Cisco Wireless :: 3310 - MSE Web Service Port Configuration

Jun 8, 2012

I recently configured a CISCO 3310 box with MSE version 7.2. Services are up and running in the box, I could add the MSE to WCS and am also able to track the location using WCS. However, I could not connect the third party software to MSE web services to get the location information there. When I hit the server url "https://<my mse>" I get a list of possible services like:
 
Error 404 - Not Found.No service matched or handled this  request.
Known services are:
 
 
http://my server:8880/hs/
http://my server:8880/mdp/
http://my server:8880/admin/
[code].... 
 
I browsed through the documentation (CAS_71.pdf) and found a text saying:

Note: Port 80 will be enabled on the MSE if the enable HTTP command was entered on MSE. Ports 8880 and 8843 will be closed on the MSE when the CA-issued certificates are installed on the MSE.

I am running the test system so I do not really want to install CA signed certificate, so I used self signed certificate and restarted the server, but it did not work.


Cisco :: 5508 NAC Guest Server And WLC Lobby Admin

Apr 15, 2012

Why do we need Cisco NAC guest server when we have WLC 5508 already configured? Guest user access can be given by the WLC itself too. We can create users in the WLC also and grant access to the user to access the internet for a specific time frame. My query is: what is so different in Cisco NGS that it is considered good in terms of guest user access? What are the advantages of NGS?


Cisco AAA/Identity/Nac :: Can Use ACS 5.2 As Guest User Authentication Server?

Jun 5, 2012

Can use ACS 5.2 as Guest user authentication server?


N600 - Set DHCP Server On Guest Network?

Mar 6, 2012

So I have a wireless guest network on an N600 router. Here is my setup:

pf sense -> untangle -> switch <- N600

The N600 is just an access point and does no DHCP. The primary wireless network gets an IP no problem but the guests are not getting an IP. I'm assuming the N600 has no way of issuing an IP on the guest network. How do I set a DHCP server on the guest network and have a static route to the pfsense firewall from that network?


Cisco Wireless :: Context Aware Licenses Difference For MSE 3310?

Mar 11, 2012

I am having a hard time understanding the real difference between the two types of context aware licenses for the MSE:

1. AIR-CAS-1KC-K9 - Context Aware License For 1K Clients and Tags (RSSI based)
2. AIR-CAS-1KT-K9 - Context Aware License For 1K Tags (RSSI, Chokepoints and TDOA)

For a regular network without any devices with tags such as RFID, I understand I do not need to get the .2, only .1, even though the .1 also is shared with clients at 1K of each. Also, the .2 does not say clients, only tags and advanced features such as TDOA. The Q&A does not clearly say what the difference is or when to use one or the other.


Cisco :: 3310 Rogue Access Point Info Not Showing Up In NCS

Aug 27, 2012

The rogue access points being detected by the 5508 WLC are not showing up on the Context Aware tab of NCS. I have an MSE 3310 installed and configured and it shows to be synchronizing with the WLC. I'm sure I am missing some part of the configuration, just not sure where.


Cisco Wireless :: 5508 - NAC Guest Server Allow Password Change

Dec 25, 2011

I see there is an option to "allow password change" or "force password change" for guest roles in the NGS. But when I created a guest account using this guest role, after web authentication, there is no prompt to change password. Is this the intended behaviour or is there anything else that I need to configure? Looking at it, I am not sure how the NGS would allow a "guest user" to really overwrite the password by allowing password change. Is that not a security risk as well for the NGS? My setup has a 5508 anchor controller and NGS communicating via RADIUS.


Cisco AAA/Identity/Nac :: 5508 - NGS Guest Server Authentication Error

Apr 29, 2011

I installed NGS 2.0.2 for wireless guest user management and authentication. I implement webauth via the webauth page on the deployed WLC. One branch with a WLC5508 version 7.0 wireless anchor controller is working on the NGS. But now I am integrating the next branch with WLC4402 version 6.0.188 and the authentication of users at the new branch gets an error, wrong user/password.

I double checked configuration and user/password but I can't find any configuration error. Also stopping and starting of the radius service and a reboot of the NGS still does not work. I tried to debug the radius via the web interface and watched the logfile and there is still a reject. I also tried the freeradius command radiusd -X but I got an error when starting radiusd -X.

1.) How can I figure out if I will get the correct password from my WLC? Are there any debug options to see more, e.g. some cli commands, radiustest utilities, or how to get the received password from the chap challenge of the debug?

2.) I have appended a part from my radius logfile. How can I find the detailed error in the radius log file? Is it correct that the password in the debug file is empty? radius log line "[radius-user-auth] expand: %{User-Password} -> "


Cisco Wireless :: MSE 3310 Upgrade 7.0.201.204 Failing Mobility Services Engine Software

May 11, 2011

I am trying to upgrade an MSE from version 6 to 7.0.201.204. I am able to copy across all the files and have tried using WCS and FTP for the CISCO-MSE-L-K9-7-0-201-0-64bit.bin file but the installation procedure always fails.
 
I will download all the images again tonight. Is there a way to delete the images from the /opt/installers/ directory?
 
Also the upgrade procedure in the 7.0.201.204 is pretty bad, there is no detail in any of the steps.
 
Here is output from the upgrade -
 
[root@SDC-MSE-01 installers]# dir
CISCO-MSE-L-K9-7-0-201-0-64bit.bin  database_installer_part3_4.zip
database_installer_part1_4.zip      database_installer_part4_4.zip
database_installer_part2_4.zip

[Code].....


Home Network :: Cisco Linksys E1500 - Wireless Security Protocol For Guest Network?

Oct 29, 2012

Having an issue with a Cisco Linksys E1500 on a home network. The device has a feature to provide a guest wireless network but the guest network can't get to the internet. A wired connection is fine, as is the normal wireless network, but not the guest. The cheesy thing is that it doesn't list an option for what type of wireless security protocol you want on the guest network. I'm assuming that it uses the same security protocol that the normal wireless network uses, but who knows. Especially weird is that it asks you what password you want on the guest network but then the guest network shows as insecure when you try to connect. Thought maybe it was something funky with some of my configurations so I went ahead and factory defaulted it and just set it up with an insecure network for both the normal and guest networks. This didn't solve it. The guest network still couldn't get to the internet. In fact, the guest network can't even ping the router.


Linksys Wireless Router :: EA4500 Guest Network - Losing Guest Clients After About 24 Hours

Oct 17, 2012

Any problems with the guest network on the ea4500 with the cloud firmware? I am losing guest clients after about 24 hours and the re-authentication fails. You enter the guest password and nothing happens until you reboot the router.








Copyrights 2005-15 www.BigResource.com, All rights reserved